2. Require Encryption Using HTTP/S
All API calls should be run over an encrypted tunnel, typically using HTTP/S (HTTP over TLS/SSL). This protects the data in transit and blocks most man-in-the-middle attacks. Early API adopters in higher education may have APIs that don’t require encryption: in-house developers may have thought that the on-campus network was secure, or that the overhead of encryption was going to slow things down. IT administrators should track down any unencrypted legacy APIs and insist on adding an encryption layer.
The unanticipated consequences of a shift to cloud computing make this even more urgent. API communications that originally may not have left a single rack in the university data center now can travel between different data centers across the open internet, without anyone thinking to check with the owner of the API.
As we’ve seen with recent attacks such as Salt Typhoon, carrier networks that were previously thought to be secure and untappable have been breached and data exfiltrated. A university with a direct link to a Tier 1 ISP connecting to a cloud data center can no longer assume that its traffic is secure against monitoring or modification.
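One way to make the "insist on encryption" rule mechanical rather than a policy document is to have the API itself refuse plaintext. The following WSGI middleware is an added example, not code from the article: it rejects any request that did not arrive over TLS and adds an HSTS header to the ones that did. It assumes a hypothetical deployment where a load balancer terminates TLS and reports the original scheme in `X-Forwarded-Proto`; the trusted-proxy address and the `hello_api` endpoint are constructed for illustration. The header is believed only when the immediate peer is one of the trusted proxies, since otherwise a client could spoof it and bypass the check.

```python
"""Added example (not from the article): a WSGI middleware that refuses any API
request that did not arrive over TLS and adds an HSTS header to responses that did.

Assumptions (constructed for this example): a reverse proxy sets X-Forwarded-Proto,
and TRUSTED_PROXIES lists the addresses of the proxies we believe.
"""
import json
from typing import Callable

TRUSTED_PROXIES = {"10.0.0.5"}  # constructed: the load balancer addresses we trust


def request_is_tls(environ: dict) -> bool:
    """Decide whether the request reached us over TLS.

    wsgi.url_scheme reflects the direct connection. When a trusted proxy
    terminated TLS for us, it reports the original scheme in X-Forwarded-Proto;
    that header is believed only when the immediate peer is a trusted proxy.
    """
    if environ.get("wsgi.url_scheme") == "https":
        return True
    peer = environ.get("REMOTE_ADDR", "")
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
    return peer in TRUSTED_PROXIES and forwarded == "https"


def require_tls(app: Callable) -> Callable:
    """Wrap a WSGI app: reject plaintext requests with 403, add HSTS otherwise."""
    def wrapped(environ, start_response):
        if not request_is_tls(environ):
            body = json.dumps({"error": "TLS required"}).encode()
            start_response("403 Forbidden", [("Content-Type", "application/json"),
                                             ("Content-Length", str(len(body)))])
            return [body]

        def start_with_hsts(status, headers, exc_info=None):
            # Tell browsers and well-behaved clients to never come back over plain HTTP
            headers = list(headers) + [("Strict-Transport-Security",
                                        "max-age=31536000; includeSubDomains")]
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def call(app, environ):
    """Run one request against a WSGI app and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


@require_tls
def hello_api(environ, start_response):
    """Constructed endpoint standing in for a real campus API."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"ok": true}']


if __name__ == "__main__":
    # Constructed environments: plain HTTP, direct TLS, TLS terminated at a
    # trusted proxy, and a spoofed X-Forwarded-Proto from an untrusted peer.
    for env in (
        {"wsgi.url_scheme": "http", "REMOTE_ADDR": "192.0.2.10"},
        {"wsgi.url_scheme": "https", "REMOTE_ADDR": "192.0.2.10"},
        {"wsgi.url_scheme": "http", "REMOTE_ADDR": "10.0.0.5", "HTTP_X_FORWARDED_PROTO": "https"},
        {"wsgi.url_scheme": "http", "REMOTE_ADDR": "192.0.2.10", "HTTP_X_FORWARDED_PROTO": "https"},
    ):
        print(env.get("REMOTE_ADDR"), "->", call(hello_api, env)[0])
```

The fourth case is the one legacy deployments get wrong: trusting the forwarded-scheme header from any peer turns the TLS requirement into a single spoofable header.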
3. Shut Down or Place Guardrails on Shadow IT APIs
Some of the biggest API breaches have come from developers who have used cloud-based services for temporary deployments or for testing. Unprotected databases and storage buckets give attackers the ability to siphon off every bit of data at multigigabit speeds. IT managers won’t make friends with a heavy-handed approach, but they still should insist on a strict policy that any API in any data center be secure from the first instantiation.
It’s best to have full authentication and authorization, but a compromise approach based on IP access lists and some simple username/password authentication can be acceptable for low-risk APIs without sensitive data behind them. Even so, it’s on the IT manager’s plate to ensure that a short-term test project doesn’t turn into a permanent API just because no one makes the effort to shut it down or secure it.
4. Make Higher Education APIs Self-Protective
The tendency among programmers is to assume that other developers are well-behaved, but that’s just not true, especially when attackers using APIs can easily masquerade as legitimate applications. This means that APIs must be self-protective: they should validate all inputs and sanitize them against possible attacks such as SQL injection and command or shell injection. Input validation is easier in the world of XML than it used to be, so pushing developers to use JSON or XML in their APIs can help where performance allows it.
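What "validate all inputs" looks like in practice, as an added example that is not the article's code: every field of a JSON request body is checked against an allowlist schema (type, format, range, no unexpected fields) before anything else happens, and the database is queried only through bound parameters, so even a value that slips past validation can never be interpreted as SQL. The endpoint, field names, `enrollments` table and sample rows are constructed for illustration.

```python
"""Added example (not the article's code): allowlist validation of a JSON request
body plus a parameterized query, so hostile input never reaches the SQL engine as
code. The endpoint, fields and table are constructed for illustration."""
import json
import re
import sqlite3

# Allowlist schema for a hypothetical endpoint: POST /v1/students/search
SCHEMA = {
    "student_id": {"type": str, "pattern": re.compile(r"^[0-9]{7}$"), "required": True},
    "term":       {"type": str, "pattern": re.compile(r"^(FA|SP|SU)[0-9]{2}$"), "required": False},
    "limit":      {"type": int, "min": 1, "max": 100, "required": False},
}


def validate(body: bytes):
    """Parse JSON and check every field against SCHEMA. Returns (clean, errors)."""
    errors = []
    try:
        data = json.loads(body)
    except ValueError:
        return {}, ["body is not valid JSON"]
    if not isinstance(data, dict):
        return {}, ["body must be a JSON object"]
    for key in data:
        if key not in SCHEMA:
            errors.append(f"unexpected field: {key}")
    clean = {}
    for name, rule in SCHEMA.items():
        if name not in data:
            if rule["required"]:
                errors.append(f"missing field: {name}")
            continue
        value = data[name]
        # bool is a subclass of int in Python, so reject it explicitly for int fields
        if not isinstance(value, rule["type"]) or isinstance(value, bool):
            errors.append(f"{name}: wrong type")
            continue
        if "pattern" in rule and not rule["pattern"].match(value):
            errors.append(f"{name}: does not match allowed format")
            continue
        if "min" in rule and not rule["min"] <= value <= rule["max"]:
            errors.append(f"{name}: out of range")
            continue
        clean[name] = value
    return clean, errors


def search_students(conn: sqlite3.Connection, body: bytes) -> dict:
    """Validate, then query with bound parameters only; never string-build SQL."""
    clean, errors = validate(body)
    if errors:
        return {"status": 400, "errors": errors}
    sql = "SELECT student_id, name, term FROM enrollments WHERE student_id = ?"
    params = [clean["student_id"]]
    if "term" in clean:
        sql += " AND term = ?"
        params.append(clean["term"])
    sql += " LIMIT ?"
    params.append(clean.get("limit", 25))
    rows = conn.execute(sql, params).fetchall()
    return {"status": 200,
            "results": [dict(zip(("student_id", "name", "term"), r)) for r in rows]}


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE enrollments (student_id TEXT, name TEXT, term TEXT)")
    conn.executemany("INSERT INTO enrollments VALUES (?, ?, ?)", [
        ("1234567", "A. Student", "FA24"),
        ("1234567", "A. Student", "SP25"),
        ("7654321", "B. Student", "FA24"),
    ])
    return conn


if __name__ == "__main__":
    conn = demo_db()
    print(search_students(conn, b'{"student_id": "1234567", "term": "SP25"}'))
    # A classic injection payload is stopped by the format check, before any SQL runs
    print(search_students(conn, b"{\"student_id\": \"1234567' OR '1'='1\"}"))
```

The two layers are deliberately independent: the schema rejects anything that does not look like a student ID, and the parameterized query protects the database even if a future schema change loosens the format.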
APIs should also implement rate limiting and request throttling. This helps not only with attackers trying to dump an entire data set but also with attackers who might be launching a Denial of Service attack. Rate limits can be tied to authorization or API keys to exempt or extend limits for trusted and privileged app-to-app communications.
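The rate-limiting arrangement described above, as an added example that is not the article's code: a token bucket per caller, with the bucket's burst capacity and refill rate chosen by the tier that the presented API key maps to, so anonymous callers get a small allowance while a trusted app-to-app key gets a much larger one. The tiers, key registry and numbers are constructed for illustration; a real deployment would look keys up in its authentication system and keep the buckets in shared storage rather than in one process.

```python
"""Added example (not the article's code): a token-bucket rate limiter keyed by API
key, with per-tier limits so trusted app-to-app keys get a larger allowance than
anonymous callers. Tiers, keys and numbers are constructed for illustration."""
import time
from dataclasses import dataclass

# capacity = burst size, refill = sustained requests per second (constructed values)
TIERS = {
    "anonymous":       {"capacity": 10,   "refill": 1.0},
    "student_app":     {"capacity": 60,   "refill": 10.0},
    "trusted_service": {"capacity": 1000, "refill": 200.0},
}

# Constructed key registry: key identifier -> tier. Unknown keys get no privilege.
API_KEYS = {"key-sis-batch": "trusted_service", "key-mobile": "student_app"}


@dataclass
class Bucket:
    tokens: float
    updated: float


class RateLimiter:
    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.buckets = {}

    def tier_for(self, api_key):
        return API_KEYS.get(api_key, "anonymous")

    def allow(self, caller, api_key=None, now=None):
        """Return (allowed, retry_after_seconds) for one request.

        Requests with a known key share a bucket per key; anonymous or unknown-key
        requests share a bucket per caller address, so a bogus key buys nothing.
        `now` can be supplied for deterministic tests; otherwise the clock is used.
        """
        if now is None:
            now = self.clock()
        tier = self.tier_for(api_key)
        limit = TIERS[tier]
        subject = api_key if api_key in API_KEYS else caller
        bucket = self.buckets.get((tier, subject))
        if bucket is None:
            bucket = Bucket(tokens=float(limit["capacity"]), updated=now)
            self.buckets[(tier, subject)] = bucket
        # Refill in proportion to elapsed time, never above burst capacity, and never
        # drain the bucket if the clock appears to run backwards.
        elapsed = max(0.0, now - bucket.updated)
        bucket.tokens = min(limit["capacity"], bucket.tokens + elapsed * limit["refill"])
        bucket.updated = now
        if bucket.tokens >= 1:
            bucket.tokens -= 1
            return True, 0.0
        retry_after = (1 - bucket.tokens) / limit["refill"]
        return False, round(retry_after, 3)


if __name__ == "__main__":
    limiter = RateLimiter()
    # Anonymous caller: the 11th request within the same second is refused
    for i in range(11):
        allowed, retry = limiter.allow("192.0.2.1", now=0.0)
        print(f"anonymous request {i + 1}: allowed={allowed} retry_after={retry}")
    # Trusted batch service keeps going well past that point
    print("trusted:", limiter.allow("10.1.1.1", api_key="key-sis-batch", now=0.0))
```

The `retry_after` value is what you would put in a `Retry-After` header on the 429 response, so well-behaved clients back off while a scraper trying to dump the data set is slowed to the sustained rate.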
5. Link APIs to Other Security Infrastructure
Because APIs are where programs meet other programs, traditional in-application error handling and logging aren’t always appropriate. From a security point of view, an API call is not all that different from a request to any web application: someone, very possibly an attacker, is trying to connect to your infrastructure and extract or modify data. This means that API logging has security implications and should flow to the security tooling accordingly.
Different campuses have different security tools, but all APIs should log both successes and errors to some sort of central service (not individual local log files), and some of that information should continue to flow to the campus security tools, such as security information and event management solutions. Once the information is accessible, traditional security anomaly detection tools and intrusion detection analyzers can do their work and proactively identify attacks and possible flaws.
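Why logging successes matters as much as logging errors, as an added example that is not the article's code: the block below emits one structured JSON line per API call for a central collector, and then runs two SIEM-style rules over a window of such lines. The first rule is about errors (a burst of 401/403 responses from one source) and the second is only possible because successes are logged too (one key reading an unusual number of distinct records, the "dump the whole data set" pattern). Field names, thresholds and the sample window are constructed for illustration; note that only a key identifier is ever logged, never the secret itself.

```python
"""Added example (not the article's code): one structured log record per API call
(success and error alike) as JSON lines for a central collector, plus a small
detector of the kind a SIEM rule would express over those records. Field names,
thresholds and the sample records are constructed for illustration."""
import json
from collections import defaultdict


def api_log_record(ts, src_ip, api_key_id, method, path, status,
                   record_id=None, latency_ms=None):
    """Build the JSON line an API should emit for every call, error or not.
    Only the key identifier is logged, never the secret."""
    rec = {"ts": ts, "src_ip": src_ip, "api_key_id": api_key_id, "method": method,
           "path": path, "status": status, "outcome": "ok" if status < 400 else "error"}
    if record_id is not None:
        rec["record_id"] = record_id
    if latency_ms is not None:
        rec["latency_ms"] = latency_ms
    return json.dumps(rec, separators=(",", ":"))


AUTH_FAIL_THRESHOLD = 5     # 401/403 responses from one source in the window
ENUMERATION_THRESHOLD = 50  # distinct records read by one key in the window


def detect_anomalies(lines):
    """Two SIEM-style rules over a window of JSON log lines:
    1. many 401/403 from one source IP      -> key guessing / credential abuse
    2. one key reading many distinct records -> bulk data extraction
    Returns a list of (rule, subject, count) findings."""
    auth_failures = defaultdict(int)
    records_by_key = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # one malformed line must not break detection of the rest
        if rec.get("status") in (401, 403):
            auth_failures[rec.get("src_ip")] += 1
        elif rec.get("status") == 200 and rec.get("record_id") is not None:
            records_by_key[rec.get("api_key_id")].add(rec["record_id"])
    findings = []
    for ip, n in auth_failures.items():
        if n >= AUTH_FAIL_THRESHOLD:
            findings.append(("auth_failure_burst", ip, n))
    for key, ids in records_by_key.items():
        if len(ids) >= ENUMERATION_THRESHOLD:
            findings.append(("record_enumeration", key, len(ids)))
    return findings


def sample_window():
    """Constructed log window: one legitimate client, one source spraying invalid
    keys, one key walking a whole student table, and one corrupted line."""
    lines = [api_log_record("2025-01-01T00:00:00Z", "192.0.2.10", "key-mobile",
                            "GET", "/v1/students/1234567", 200, "1234567", 12)]
    for i in range(6):
        lines.append(api_log_record(f"2025-01-01T00:00:{i:02d}Z", "198.51.100.7",
                                    "unknown", "GET", "/v1/students/1234567", 401))
    for i in range(60):
        sid = str(1000000 + i)
        lines.append(api_log_record("2025-01-01T00:01:00Z", "203.0.113.5", "key-legacy",
                                    "GET", f"/v1/students/{sid}", 200, sid, 8))
    lines.append("garbage that a broken shipper might emit")
    return lines


if __name__ == "__main__":
    for finding in detect_anomalies(sample_window()):
        print(finding)
```

Because every record carries `src_ip`, `api_key_id` and `record_id`, the same lines can be joined against the IP access lists and key registry from earlier sections, which is the point of sending them to a central service rather than leaving them in a local file on the API host.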
APIs in higher education have the potential to deliver better applications and more powerful tools. IT managers must properly secure and monitor their use to ensure that they don’t become a doorway for attackers.